Become an AWS pro by understanding IAM, learning to write policies, and configuring access. Get hands-on with realistic examples, developed by AWS Solution Certified Architects. No setup, no cleanup, no hassle.

A Practical Guide to AWS IAM by Tamás Sallai_468 x 60 .png

This course is about how AWS IAM works and how to write policies to control access in an AWS account. In this course, you will learn how AWS APIs work, explore different parts of the requests made to the APIs and elaborates on how access is determined. Additionally, you will dive into how to configure access inside AWS by describing the policy structure and the 5 policy types AWS supports.

Further, you will become familiar with how the elements in the request and the policies fit together. You will also determine whether the operation is allowed or denied by demonstrating through several step-by-step realistic examples that show exactly how IAM evaluates access, thus providing templates for how to apply these protections to AWS environments.

Lastly, this course offers you some practical tips on how to secure an account both as an administrator and as a developer. It explains the best practices and the usual pitfalls of AWS security.

AWS Security Fundamentals: A Practical Guide to AWS IAM

When a request reaches an AWS API, the IAM service needs to allow or deny it. But before we dive into how it does that, let's see what information it has.

A request represents that *somebody(1)* wants to *do something(2) with something(3)*.

Let's see what each of these 3 parts mean.

The first one is the **Principal**. It is the user, the role, the AWS service, or some special entity that sends the request.

The second part is the **Action**. It defines what the Principal wants to do, such as reading an object or creating a new Lambda function.

The third is the **Resource**. It is the logical entity in the account that is the subject of the request. For example, the specific S3 bucket to delete, or the EC2 instance to launch.

Let's look at some examples.

* An IAM user, Bob, reads an object from an S3 bucket. The Principal is Bob, the action is `s3:GetObject`, and the resource is the S3 object.

* An IAM role, Admin, calls a Lambda function. The Principal is the Admin role, the action is `lambda:InvokeFunction`, and the resource is the function itself.

* A visitor opens an S3 bucket website in the browser. The Principal is the anonymous user, a special entity, the action is `s3:GetObject`, and the resource is the `index.html` object.

* Finally, an API Gateway calls a Lambda function. The Principal is the `apigateway.amazonaws.com` service, the action is `lambda:InvokeFunction`, and the resource is the function.

> **Recap:**<br>
The *Principal* is the entity *that* is initiating the request.
<br>The *Action* is the *operation*.
<br>The *Resource* is the *target* of the operation.

Let's take a short quiz on the concepts studied so far in this lesson!

Learn about the first access element that constitutes a request made to an AWS API.

Introduction

Access Control Basics

User Management using IAM

IAM Policies

Request Evaluation Flow and Examples

Role Management Using Identity and Access Management (IAM)

How to Secure an AWS Account

Conclusion

Appendix

Access elements: Principal